Does Fannie Mae require us to review the work of our Quality Control vendor?
Yes, Fannie Mae requires a mortgage lender’s Quality Control Plan to include processes for reviewing the third party QC vendor’s work to ensure that the lender’s requirements and guidelines are applied consistently and that the review results accurately reflect the quality of the lender’s loan originations. The review must be performed at least monthly on a minimum of 10% of the post-closing QC sample reviewed by the vendor to validate the accuracy and completeness of the vendor’s work. The 10% sample must include loans for which the vendor identified defects and for which no defects were identified. Further, this review must be performed by the lender itself and cannot be contracted out.
In a previous FNMA Selling Guide update with an effective date of January 1, 2020,Fannie Mae added provisions requiring a lender’s monthly QC reports to include final results of the 10% QC vendor review. The reports must be completed within 30 days following the publication of the vendor’s final QC management report.
Although Fannie Mae does not specify an exact format, the reports must be useful to management in evaluating and monitoring the quality of the outsourced QC service provider. The reports, at a minimum, must include:
• a description of the sample selected for review,
• concurrence rates, and
• discrepancies identified by the lender.
The management reports must focus on inaccuracies uncovered in the current month’s review, as well as broad trends revealed by the vendor QC review process, identifying specific corrective action that is needed.
How will the December 28th, 2019 effective date of the Taxpayer First Act affect me as a lender or servicer?
The Taxpayer First Act was signed into law on July 1, 2019 and goes into effect on December 28, 2019. It requires taxpayers to provide consent for the express purpose for which their tax return information will be used. Additionally, taxpayers must provide their express permission for their tax return information to be shared with any other party. “Tax return information” is defined under the IRS Code, 26 U.S.C. § 6103.
Therefore, if a lender or servicer obtains tax return information during the origination or servicing of a mortgage loan, the lender or servicer must obtain express consent from the taxpayer prior to sharing the tax return information with another party. Such sharing would extend to actual or potential owners of the loan, such as Fannie Mae or any other loan participant.
The IRS has indicated that it has no plans at this time to provide a standard form related to disclosing or sharing tax return information with other parties. However, the Mortgage Industry Standards Maintenance Organization (MISMO®) drafted a sample Taxpayer Consent Form designed to allow sellers/servicers to share tax return information with other loan participants. (available to MISMO members). Many document providers have also prepared a consent which will be added to the early disclosures. Sellers/servicers may also prepare their own taxpayer consent form, as long as the form provides the purpose for which the tax return information will be used and provides the seller/servicer with express permission to share tax return information in accordance with the law.
I read something recently about updates to Georgia’s background check requirements for lenders licensed in Georgia. What’s changed?
Georgia (GA) recently updated its requirements with regard to pre-hire employment background checks to add a requirement to check the NMLS Consumer Access, in addition to the GA Department of Banking and Finance’s (Department) website for public records related to the prospective hire. All employee files (not just employees working in GA or on GA loan files) must contain proof that both of these searches were run prior to hire in the form of a screen shot or print out.
Any licensee that fails to examine the Department’s website and NMLS Consumer Access prior to employment in order to confirm employment eligibility may be subject to a fine of $1,000 for each violation.
For the Department search, a mortgage company should visit https://dbf.georgia.gov/mortgage-information-and-searches and click on “Mortgage Administrative Actions” to run the search.
Separately, there is an additional Georgia-specific search that must be run on “covered employees.” Covered employees include those employees who physically work in the state of Georgia and who may enter, delete, or verify any information on any mortgage loan application form or document. For these individuals, Georgia requires background checks be run through the Georgia Crime Information Center (GCIC). Please see https://dbf.georgia.gov/sites/dbf.georgia.gov/files/related_files/document/GA-Employee-Background-Checks.pdf for more information.
It is also important to note that Georgia maintains a strict prohibition against employing any individual with a felony. GA imposes this prohibition without time restrictions and extends it to all employees, whether or not the employee is located in GA or works on GA loans. Failure to abide by this restriction may result in suspension or revocation of a mortgage company’s GA lender license.
Is it compliant for a mortgage lender to permit a mortgage broker to select the appraisal management company (“AMC”) from which to order an appraisal if the lender provides the broker with a list of authorized AMCs?
No. This process provides the broker with an element of responsibility for selecting and/or retaining the appraiser, and is, therefore, not compliant with the Appraiser Independence Requirements (“AIR”). Fannie Mae has recently been citing Seller/Servicers in relation to this issue. It does not matter if the lender is responsible for the relationship with the AMC, including compensation.
Notably, a lender may direct a mortgage broker to one specifically authorized AMC if the lender has previously arranged for its appraisal process to be managed by that particular AMC. This process is compliant with AIR because the lender, and not the mortgage broker, is responsible for selecting and/or retaining the appraiser. Additional FNMA AIR FAQs can be found here.
Do both Oregon and Washington tie licensing requirements to an applicant’s residency(not just the location of the subject property)?
Yes, as detailed below:
- Washington requires an individual to hold a Washington MLO license if the individual offers mortgage brokering or loan origination services (i) to Washington state citizens or (ii) for property in Washington State.
° Example: if an applicant is a “resident” of Washington and looking to purchase a home in Texas, the MLO assisting the applicant with his/her mortgage loan would need to be licensed in both Texas AND Washington.
- Oregon requires an individual to hold an Oregon mortgage loan originator (“MLO”) license if the individual takes a mortgage loan application or offers or negotiates the terms of a mortgage loan (i) to Oregon residents, (ii) for property located in Oregon State, or (iii) from a fixed physical location in Oregon.
° Example: if you have a MLO working in Oregon but doing a loan for someone in Florida, that MLO would need to be licensed as an Oregon MLO, in addition to a Florida MLO.
- Links to the applicable WA and OR regulations and NMLS checklists and description requirements are also included for your reference:
What are the best practices for Group Policy Object (GPO) settings for Active Directory accounts?
First of all, if you don’t know what this is and you manage Risk, Compliance, and/or Data Security, please forward to your IT department for their review and to confirm your company meets or exceeds the best practices outlined below. If this isn’t a foreign language, please keep reading. The most commonly used method for user authentication in corporate environments is an Active Directory account with policies and Group Policy Object (GPO) variables set in Group Policy. Whether or not your organization utilizes Active Directory to manage permissions and access to networked resources with GPO defining what a system will look like/how it will behave, the following best practice recommendations are fundamental to security variables in any environment and authenticating application:
- Account lockout after 5 failed login attempts;
- A lockout duration of at least 25 minutes when a lockout occurs;
- A password expiration policy set to every 90 days at a minimum;
- Complex password requirements: 1 capital letter, 1 lowercase letter, 1 number, 1 special character, at least 8 characters long;
- Password history requirements: inability to use previous 12 passwords and;
- Idle timeout requirements that lock the end-user’s terminal after 10 minutes of inactivity.
Setting the aforementioned variables along with policy implementation and enforcement provides an additional layer of security to accounts and end-user workstations.
Does Fannie Mae require its Seller/Servicers to perform an independent audit of the Post-Closing QC Process? If so, what’s changed?
Yes, in an August 7, 2019 announcement, FNMA added further guidance to its Lender Post-Closing QC Review requirements. Chapter D1-3-06 of the Selling Guide specifically calls for an independent audit of the Lender’s QC processes and procedures.
The lender must have an independent audit process to ensure the following:
- Its post-closing QC process and procedures are followed by the QC staff.
- Assessments and conclusions are recorded and consistently applied.
- Findings must be accurately recorded and consistent with the defects noted in the lender’s system of record.
Results of the QC audit must be distributed to senior management. The audit results must include an affirmative statement that no influence from other business units or bias in the QC conclusions was apparent. Management must distribute the results to the appropriate areas within the organization and an action plan must be established for remediation or changes to policies or processes, if appropriate. The lender must provide a copy of the QC audits and the audit of the QC process to Fannie Mae upon request.
Requirements related to QC independence must be incorporated into the lender’s QC plan and implemented by January 1, 2020.
Has there been a recent change to the implementation date for the redesigned Uniform Residential Loan Application?
Yes, in a recent joint announcement made by Fannie Mae and Freddie Mac, the mandatory use of the redesigned Uniform Residential Loan Application (URLA) has been postponed to an unspecified date in the future. At the direction of the Federal Housing Finance Agency (FHFA), Fannie Mae and Freddie Mac (the GSEs) announced in June 2019 that the optional use period for the redesigned URLA and automated underwriting system (AUS) implementations would be delayed. FHFA has now directed the GSEs to make specific modifications to the URLA which include:
• The removal of the following questions from the redesigned URLA form. Instead, a voluntary consumer information form, separate from the URLA form, will be developed to collect this information.
• The Language Preference question (Borrower Information, Section 1a.)
• The Homeownership Education and Housing Counseling question
(Lender Loan Information, Section L5.)
• In the Borrower Information, Section 6: Acknowledgments and Agreements, the statement on “Use and Sharing of Information” will be revised to address specific uses of borrower data.
• The Military Service question (Borrower Information, Section 1a.) will be moved to a new section adjacent to Section 7: Demographic Information.
• Minor edits for consistency and usability will be made throughout the URLA form.
To allow industry participants time to make the necessary changes, FHFA and the GSEs will be extending the deadlines for implementation of the URLA and AUS datasets. The mandatory use of the redesigned form and data will no longer begin on February 1, 2020. The agencies will assess the impact of these changes to the timeline and will provide more information about the new implementation dates as soon as it is available.
Has Fannie Mae recently updated its Title Insurer Requirements?
- Duly authorized and licensed, as required, to issue title insurance in the state where the property is located; and
- Further evaluated in accordance with the lender’s procedures for title insurer approval, which may include factors such as:
- Duly authorized and licensed, as required, to issue title insurance in the state where the property is located; and
- • an acceptable rating from a rating agency,
- • financial strength of the title insurer,
- • adequate reserves,
- • record related to satisfactory title claim resolution, or
- • strength of a reinsurance arrangement subject to the guidelines below.
Additionally, for Insurers Covered by Reinsurance:
- If the lender accepts an insurer based on the strength of a reinsurer, both the primary insurer and the reinsuring company must be licensed, as required, to issue title insurance within the state where the property is located and are in good standing with that state’s insurance regulator.
- Both insurance carriers must execute an Assumption of Liability Endorsement (Form 858) or an equivalent endorsement that provides for 100% reinsurance of the primary insurer’s policy and a 90-day written notice of termination of the reinsurance agreement. The alternative endorsement must be attached to the title insurance policy for each individual mortgage.
Lenders can take advantage of this policy change immediately; but must implement the change for title insurer acceptability for loan applications dated on or after September 1, 2019.
Does Georgia have specific requirements with regard to a mortgage loan originator (“MLO”) acting under Temporary Authority (“TA”)?
Yes, effective January 9, 2020 the Georgia Department of Banking and Finance (the “Department”) requires the following with regard to Temporary Authority:
- All advertisements mentioning a MLO’s ability to act as an MLO in GA must “clearly and conspicuously” disclose that the MLO is operating under Temporary Authority in the state, is not currently licensed in GA, and has a pending application with the Department, which may be granted or denied.
- A MLO purporting to operate under the TA must indicate “TAO,” “temporary authority to operate,” or a substantially similar designation next to the signature line on any document, application, or disclosure signed by the MLO in connection with any residential mortgage loan application, including but not limited to the negotiation of terms or the offering of a loan.
- Any MLO who qualifies to operate under TA must submit proof to the Department of enrollment in a class to satisfy GA’s MLO education requirements, as well as registering to take the test as required by O.C.G.A. § 7-1-1004(f). Such proof shall be submitted to the Department within thirty (30) days of receipt of the MLO’s application.
- Mortgage companies must maintain in their journal of mortgage loan transactions clear identification regarding when any MLO utilizes TA at any point in the application or loan process, as well as the final status of the MLO’s GA license application.
- Requires mortgage lenders and brokers sponsoring MLOs operating under TA to provide a written disclosure in at least 10-point bold-faced type to an applicant on the date the applicant signs an application or any disclosure, whichever occurs first. The disclosure must be signed by the applicant and must include the following language:
- “The Georgia Department of Banking and Finance requires that we inform you that our company is licensed but the mortgage loan originator responsible for your loan is not currently licensed by the Georgia Department of Banking and Finance. The mortgage loan originator has applied for a mortgage loan originator license with the Georgia Department of Banking and Finance. Federal law (12 U.S.C. § 5117) authorizes certain mortgage loan originators to operate on a temporary basis in the state of Georgia while their application is pending. The Georgia Department of Banking and Finance may grant or deny the license. Further, the Georgia Department of Banking and Finance may take administrative action against the mortgage loan originator that may prevent such individual from acting as a mortgage loan originator before your loan closes. In such case, our company could still act as your broker or lender.”
This disclosure provision becomes effective April 1, 2020.
Does HUD require its approved Mortgagees to check its employees against the exclusionary lists after they are hired?
- Excluded Parties List: The Mortgagee must verify employee eligibility for all officers, partners, directors, principals, managers, supervisors, loan processors, loan underwriters, loan originators and all other employees and Affiliates participating in HUD programs for or on behalf of the Mortgagee using the
- Limited Denial of Participation: The Mortgagee must verify employee eligibility for all officers, partners, directors, principals, managers, supervisors, loan processors, loan underwriters, loan originators, and all other employees and Affiliates participating in HUD programs for or on behalf of the Mortgagee, using the
- National Mortgage Licensing System and Registry: The Mortgagee must verify that all employees and Affiliates participating in HUD programs for or on behalf of the Mortgagee are registered with the
- , unless excluded from NMLS requirements by law or regulation.
- Required Documentation: Mortgagees must maintain documentation that supports each employee’s eligibility.
In addition, HUD requires Affiliate monitoring as indicated in Chapter V.A.2.b.ii of the HUD Handbook 4000.1. HUD defines the term as follows: Affiliates are contractors, agents, vendors, sub-servicers, and sponsored TPOs who participate in FHA programs on behalf of an FHA-approved Mortgagee.
- Affiliate monitoring must include a periodic (semi-annual at a minimum) re-verification of the Affiliate’s compliance with all applicable laws related to licensing, qualification, eligibility, or approval to originate or subservice Mortgages.
- Required Documentation: The Mortgagee must document the methodology used to review Affiliates, the results of each review, and any corrective actions taken as a result of review Findings. The procedures used to review and monitor a Mortgagee’s Affiliates must be included in the Mortgagee’s QC Plan.
My company’s loan originators (“LOs”) use social media to market themselves. What are some key controls I should put in place to monitor their activity?
What are Fannie Mae’s internal audit requirements?
As a Mortgagee, am I required to notify FHA if my company’s net worth decreases or I experience operating losses?
Did the U.S. Department of Housing and Urban Development (“HUD”) recently issue guidance on the use of Third Party Verification Services?
Is it a conflict of interest for my company’s Quality Control (QC) Manager to also be in charge of Post–Closing? Post–Closing is not a production role but it does fall under Operations and I want to make sure my organization stays compliant with regulators and investors.
Did the U.S. Department of Housing and Urban Development (“HUD”) recently issue guidance on the use of Third Party Verification Services?
Yes, on February 15, 2019, HUD published Mortgagee Letter 2019-01, which specifically authorized the use of Third Party Verification (“TPV”) services to verify a borrower’s employment, income and asset information. The Mortgagee Letter explained that “TPV provides an alternative means for verifying a Borrower’s employment, income, and assets the requirement for a Mortgagee to collect paystubs, W-2s, and bank statements.” HUD explained this revision is meant to align HUD policy with industry practice. The revised HUD Handbook 4000.1(the “Handbook”), issued March 27, 2019, indicates a Mortgagee may use contract support for administrative, human resources, and clerical functions including TPV. The Handbook further explains that TPV refers to a process through which a Borrower’s employment, income, and asset information is verified directly by the Mortgagee with a Borrower’s employer or financial institution, through the services of a third-party vendor. The Mortgagee must still obtain the Borrower’s authorization to verify the information needed to process the mortgage application as more fully set forth in the Handbook.
Did the U.S. Department of Housing and Urban Development (“HUD”) recently clarify its requirements in relation to documenting the transfer of gift funds?
- If the gift funds have been verified in the Borrower’s account, obtain the donor’s bank statement showing the withdrawal and evidence of the deposit into the Borrower’s account.
- If the gift funds are not verified in the Borrower’s account, obtain the certified check, money order, cashier’s check, wire transfer, or other official check (pg. 230).
What requirements do residential mortgage lenders have in regard to notifying their Board of Directors (the “Board”) and/or Executive Management of suspicious activity report (“SAR”) filings?
- Customer’s name and any additional suspects;
- Social Security Number or TIN;
- Account number (if a customer);
- The date range of suspicious activity;
- The dollar amount of suspicious activity;
- Very brief synopsis of reported activity (for example, “cash deposit structuring” or “wire transfer activity inconsistent with business/occupation”); and
- Indication of whether it is a first-time filing or repeat filing on the customer/suspects.
When does transitional licensing go into effect and how will it work?
- qualified MLOs who are changing employment from a depository institution to a state-licensed mortgage company; and
- qualified state-licensed MLOs seeking licensure in another state.
Should I maintain a visitor log at my front entrance?
Yes, visitors pose a risk to privacy and security. All companies, especially those in the financial industry who handle consumer non-public and confidential information (NPPI/PII), should maintain a visitor log at each office entrance in order to audit visitors and ensure only authorized individuals are permitted to access the facilities. At a minimum, a visitor log should include the date, time in, visitor’s name, person being visited, reason for the visit, and time out. The employee permitting the visitor should verify the visitor’s identity by reviewing the visitor’s government-issued photo ID to ensure they are who they say they are. A visitor log will also serve as a vital reference tool in the event of unforeseen events (i.e. theft, active shooter situations, or incident breaches) and in an emergency evacuation as it will help accurately account for individuals present within the facility. Mortgage lenders should review branch office visitor logs as part of their branch office oversight procedures to ensure they are being maintained appropriately.
If my third-party provider (“vendor”) has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?
Yes, written agreements with third-party providers should address potential risks associated with data breaches — particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions. Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.
Why is it important to have an adequate compliance training program?
It is important for a residential mortgage lender to develop and implement a written compliance training program to provide employees with the tools needed to succeed given the various rules and regulations that apply and because of the constant regulatory changes. Regardless of a residential mortgage lender’s size, a well-developed compliance training program is a critical component to an effective compliance management system (“CMS”). As part of a thorough CMS, a robust training program helps a company and its employees keep up-to-date on regulatory changes that may impact the business, make correct decisions, manage risks, and avoid costly errors or other legal and/or compliance missteps. A residential mortgage lender’s compliance training program should be current, effective, and commensurate with the entity’s size and risk profile. Oftentimes, this requires training courses to be specifically tailored to reflect how a company operates. It is important that all employees be familiar and in full compliance with a company’s policies and procedures, as well as federal and state consumer protection laws. Employees should also receive comprehensive training based upon their job functions and responsibilities. Per the Consumer Financial Protection Bureau’s Summer 2013 Supervisory Highlights edition http://files.consumerfinance.gov/f/201308_cfpb_supervisory-highlights_august.pdf, mortgage lenders must provide ongoing training to Board members management and staff. Further, certain federal and state rules and regulations require training on specific subject matters at least annually. For example, mortgage lenders must provide anti-money laundering and privacy/security awareness training at least annually. It is recommended that all training (whether informal or formal) be tracked and memorialized so that a mortgage lender can demonstrate to its regulators that employees are properly completing courses. Further, requiring a test component helps ensure employees are sufficiently grasping the material presented. It is important to note that no two compliance training programs will be identical. Your company’s size, organizational structure, and geographical reach may dictate the structure of your program.
I’m applying for Fannie Mae approval but am unsure of the difference between a Quality Control Audit (QC) and Internal Audit. What exactly is the difference?
A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions, as applicable. A QC audit looks at the end product, regardless of whether the process is credit or compliance focused. Generally, QC audits, which are forms of transactional testing, are narrower in scope than Internal Audits. Internal Audits review for and identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. To this end, an Internal Auditor will perform a number of tasks, such as review policies, procedures, and reports, conduct management interviews with the respective business units to gather information on the process evaluated, document evidence of the process through walkthroughs, and perform transactional testing, as needed. The focus is not necessarily on the end product as is the case with a QC audit, but rather the focus is on the adequacy, soundness, and effectiveness of internal controls within a process to ensure that the mortgage lender attains the end result sought while complying with Agency and investor guidelines, laws and regulations and industry best practices.
When will it be mandatory to use the new Uniform Residential Loan Application (URLA) and what are some of the changes?
- New fields have been added based on new federal regulations. For example, there are correct fields for the new demographic information required by HMDA since January of 2018 thereby retiring the Demographic Information Addendum currently utilized.
- Obsolete fields have been eliminated. For example, the applicant is no longer required to list the make and model of their automobile.
- There is defined separation of individual borrower applications.
- The information a borrower must provide, acknowledge and agree to has been separated from the information the broker/lender collects and verifies in connection with the processing and underwriting of the loan.